DETAILED ACTION 

1. This action is in response to communication: RCE received 02/06/2009 

2. Claims 1-30 are currently pending in this application. 

3. No new IDS has been received for this application. 

4. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 
02/06/2009 has been entered. 

EXAMINER'S AMENDMENT 

5. An examiner's amendment to the record appears below. Should the changes 
and/or additions be unacceptable to applicant, an amendment may be filed as provided 
by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be 
submitted no later than the payment of the issue fee. 

6. Authorization for this examiner's amendment was given in a telephone interview 
with Steven Chang (59,424) on 03/05/2009. 

7. Mr. Steven Chang has sent in a revised amendment to the claims. These 
revised amendments correspond to the claims submitted on 11/06/2007. The claim set 
submitted on 12/04/2008 will be disregarded. Please replace all prior versions 
(including the claim set submitted on 12/04/2008), and listings, of claims in the 
application with the following: 

Amendments to the Claims: 

Please replace all prior versions, and listings, of claims in the application with the 
following: 

1. (currently amended) In a distributed network having a number of server 
computers and associated client devices, a network virus defense system, comprising: 

a network virus/worm sensor operable in a number of modes arranged to detect 
a computer virus or a computer worm in the network, the network virus/worm sensor 
switching from a first mode to a second mode when the computer virus or 
computer worm is detected, wherein in the first mode, such that the bandwidth of 
the network is minimally affected substantially unaffected in a first mode in that 
received data packets are not removed from or added to network traffic, but are copied, 
and the copied data packets are used in detecting the computer virus, and 
wherein in the second mode, and wherein when the virus sensor detects the 
computer virus, the virus sensor switches to a second mode, wherein the 
received data packets are not copied and wherein a subset of the received data 
packets determined to be infected or suspected of being infected by the network 
virus/worm sensor are not returned to the network; 

a traffic controller coupled to the distributed network arranged to select 
original data packets, wherein the selected original data packets or a copy of the 
selected original data packets are forwarded to the network virus/worm sensor; 

a network virus sensor self registration module coupled to the network 
virus/worm sensor arranged to automatically self register the associated coupled 
network virus/worm sensor; 

a controller storing a rules engine used to store and source a plurality of 
detection rules for detecting computer viruses and worms, said controller and using 
statistical results of observed abnormal events as recorded and monitored by the 
network virus/worm sensor a virus monitor, the abnormal events defined in policies 
and in the plurality of detection rules in the virus monitor, and wherein the network 
virus/worm sensor the virus monitor generates an abnormal behavior report which is 
evaluated by a server which one of said server computers to determine[[s]] an 
action to perform; and 

an anti-virus agent creation module arranged to create an anti-virus agent of 
create having a detection module, an infection module and a payload. 

2. (currently amended) A system as recited in claim 1, wherein during 
an initialization phase of the network virus/worm sensor, the network virus/worm 
sensor self registration module collects selected network environmental information 
and network configuration information. 

3. (previously presented) A system as recited in claim 2, wherein 
when the distributed network is an IP based type network, the selected network 
environmental information includes an IP address for all of the relevant client devices 
included in the IP-based type network. 

4. (original) A system as recited in claim 3, wherein the network 
configuration information includes self configuration information related to an 
appropriate IP address for the network virus/worm sensor. 

5. (original) A system as recited in claim 4, wherein the network 
configuration information includes locations of all relevant server computers. 

6. (original) A system as recited in claim 5, wherein selected ones of the 
relevant server computers are identified as controllers. 

7. (original) A system as recited in claim 6, wherein each of the identified 
controllers includes a rules engine used to store and source a plurality of detection rules 
for detecting computer viruses and worms and an outbreak prevention policy (OPP) 
distribution and execution engine that provides a set of anti-virus policies, protocols, and 
procedures suitable for use by a system administrator for both preventing viral 
outbreaks and repairing any subsequent damage caused by a viral outbreak. 

8. (original) A system as recited in claim 7, wherein during the 
initialization phase, each of the rules engines associated with each of the identified 
controllers are updated with a set of detection rules for detecting computer viruses and 
worms. 

9. (original) A system as recited in claim 7, wherein during the 
initialization phase, each of the outbreak prevention policy distribution and execution 
engines associated with each of the identified controllers are updated with a set of anti- 
virus policies, a set of anti-virus protocols, and a set of anti-virus procedures. 

10. (canceled) 

11. (currently amended) In a distributed network having a number of server 
computers and associated client devices and a network virus/worm monitor sensor 
operable in a number of modes, a method of self registering a network virus defense 
system comprising: 

forwarding original data packets or a copy of the original data packets to 
the network virus/worm sensor using a traffic controller module coupled to the 
network virus/worm sensor; 

detecting a computer virus or a computer worm in the network, the network 
virus/worm sensor switching from a first mode to a second mode when the 
computer virus or computer worm is detected, wherein in the first mode, such 
that the bandwidth of the network is minimally affected substantially unaffected in a 
first mode in that received data packets are not removed from or added to network 
traffic, but are copied, and the copied data packets are used in detecting the 
computer virus or computer worm, and wherein in the second mode, and wherein 
when the virus sensor detects the computer virus, the virus sensor switches to a 
second mode, wherein the received data packets are not copied and wherein a 
subset of data packets determined to be infected or suspected of being infected by the 
network virus/worm sensor are not returned to the network; 

automatically self registering the network/virus worm network virus/worm 
sensor using a network virus sensor self registration module coupled to the network 
virus/worm sensor; 

storing a rules engine used to store and source a plurality of detection rules for 
detecting computer viruses and worms and using statistical results of observed 
abnormal events as recorded and monitored by the network virus/worm sensor a 
virus monitor, the abnormal events defined in policies and in the plurality of detection 
rules in the virus monitor, and wherein the network virus/worm sensor virus 
monitor generates an abnormal behavior report which is evaluated by one of said 
server computers to a server which determine[[s]] an action to perform; 

providing virus cleaning agents an anti-virus agent from known viruses and 
unknown viruses subsequently analyzed; and 

creating a detection module that detects whether a client device is infected with a 
virus and triggers the introduction of an anti-virus infection module; 

creating an anti-virus infection module that overwrites so that the virus in 
the client device is overwritten with the anti-virus agent; and 

creating an anti-virus agent a payload is created based on features of the 
selected detected computer virus or computer worm and which performs as a 
cleaning/repairing payload capable of cleaning and repairing, wherein the 
payload cleans and repairs damage done to the client device. 



12. (previously presented) A method as recited in claim 11, further 
comprising: 
during an initialization phase of the network virus/worm sensor, collecting 
selected network environmental information and network configuration information by 
the network virus/worm self registration module. 

13. (previously presented) A method as recited in claim 12, 
wherein when the distributed network is an IP based type network, the selected network 
environmental information includes an IP address for all of the relevant client devices 
included in the IP-based type network. 

14. (original) A method as recited in claim 13, wherein the network 
configuration information includes self configuration information related to an 
appropriate IP address for the network virus/worm sensor. 

15. (original) A method as recited in claim 14, wherein the network 
configuration information includes locations of all relevant server computers. 

16. (original) A method as recited in claim 15, wherein selected ones of 
the relevant server computers are identified as controllers. 

17. (previously presented) A method as recited in claim 16, 
wherein each of the identified controllers includes a rules engine used to store and 
source a plurality of detection rules for detecting computer viruses and worms and an 
outbreak prevention policy (OPP) distribution and execution engine that provides a set 
of anti-virus policies, protocols, and procedures suitable for use by a system 
administrator for both preventing viral outbreaks and repairing any subsequent damage 
caused by a viral outbreak. 

18. (original) A method as recited in claim 17, further comprising: 
during the initialization phase, 
updating each of the rules engines associated with each of the identified 
controllers with a set of detection rules for detecting computer viruses and worms. 

19. (original) A method as recited in claim 17, further comprising: 

during the initialization phase, 

updating each of the outbreak prevention policy distribution and execution 
engines associated with each of the identified controllers with a set of anti-virus policies, 
a set of anti-virus protocols, and a set of anti-virus procedures. 

20. (currently amended) A method as recited in claim 11, wherein in a 
first mode the bandwidth of the network is substantially unaffected by the network 
virus/worm virus/monitor sensor, the network virus/worm virus/monitor sensor not 
removing or adding network traffic but copying data packets, and wherein when the 
network virus/worm sensor detects a computer virus or a computer worm, the 
virus/worm sensor switches to a second mode such that only those data packets 
infected by the computer virus are not returned to the network. 

21. (currently amended) In a distributed network having a number of server 
computers and associated client devices, computer program product for self registering 
a network virus defense system, that includes a network virus/worm sensor operable in 
a number of modes arranged to detect a computer virus or a computer worm in the 
network, comprising: 

computer code for forwarding original data packets or a copy of the 
original data packets to the network virus/worm sensor using a traffic controller 
module coupled to the network virus/worm sensor; 

computer code for detecting a computer virus or a computer worm in the 
network, the network virus/worm sensor switching from a first mode to a second 
mode when the computer virus or computer worm is detected, wherein in the first 
mode, such that the bandwidth of the network is minimally affected substantially 
unaffected in a first mode in that received data packets are not removed from or 
added to network traffic, but are copied, and the copied data packets are used in 
detecting the computer virus or computer worm, and wherein in the second 

sensor switches to a second mode, wherein the received data packets are not 
copied and wherein a subset of data packets determined to be infected or suspected of 
being infected are not returned to the network; 

computer code for automatically self registering the network virus/worm 
sensor by a network virus sensor self registration module coupled to the network 
virus/worm sensor; 

computer code for storing a rules engine used to store and source a plurality of 
detection rules from detecting computer viruses and worms and using statistical results 
of observed abnormal events as recorded and monitored by the network virus/worm 
sensor a virus monitor, the abnormal events defined in policies and in the plurality of 
detection rules in the virus monitor, and wherein the network virus/worm sensor 
virus monitor generates an abnormal behavior report which is evaluated by one of 
said server computers to a server which determine[[s]] an action to perform; 

computer code for providing virus cleaning agents an anti-virus agent from 
known viruses and unknown viruses subsequently analyzed; and 

computer code for creating a detection module that detects whether a client 
device is infected with a virus and triggers the introduction of; 

computer code for creating an anti-virus infection module that overwrites so 
that the virus in the client device with the anti-virus agent is overwritten; and 

computer code for creating a an anti-virus agent payload created based on 
features of the selected detected computer virus or computer worm, wherein the 
payload cleans and repairs and performs as a cleaning/repairing payload capable 
of cleaning and repairing damage done to the client device; and 

computer readable medium for storing the computer code. 

22. (original) Computer program product as recited in claim 21, further 
comprising: 



Application/Control Number: 10/683,582 
Art Unit: 2434 



Page 10 



computer code for collecting selected network environmental information and 
network configuration information by the network virus/worm self registration module 
during an initialization phase. 

23. (original) Computer program product as recited in claim 22, wherein 
when the network is an IP based type network, the selected network environmental 
information includes an IP address for all of the relevant client devices included in the 
network. 

24. (original) Computer program product as recited in claim 23, wherein 
the network configuration information includes self configuration information related to 
an appropriate IP address for the network virus/worm sensor. 

25. (original) Computer program product as recited in claim 24, wherein 
the network configuration information includes locations of all relevant server 
computers. 

26. (original) Computer program product as recited in claim 25, wherein 
selected ones of the relevant server computers are identified as controllers. 

27. (original) Computer program product as recited in claim 26, wherein 
each of the identified controllers includes a rules engine used to store and source a 
plurality of detection rules for detecting computer viruses and worms and an outbreak 
prevention policy (OPP) distribution and execution engine that provides a set of anti- 
virus policies, protocols, and procedures suitable for use by a system administrator for 
both preventing viral outbreaks and repairing any subsequent damage caused by a viral 
outbreak. 

28. (original) Computer program product as recited in claim 27, further 
comprising: 
during the initialization phase, 

updating each of the rules engines associated with each of the identified 
controllers with a set of detection rules for detecting computer viruses and worms. 

29. (original) Computer program product as recited in claim 27, further 
comprising: 

computer code for updating each of the outbreak prevention policy distribution 
and execution engines associated with each of the identified controllers with a set of 
anti-virus policies, a set of anti-virus protocols, and a set of anti-virus procedures during 
the initialization phase. 

30. (currently amended) Computer program product as recited in claim 
21, wherein in a first mode the bandwidth of the network is substantially unaffected by 
the network virus/monitor virus/worm sensor, the network virus/monitor virus/worm 
sensor not removing or adding network traffic but copying data packets, and wherein 
when the network virus/worm sensor detects a computer virus or a computer worm, the 
network virus/worm sensor switches to a second mode such that only those data 
packets infected by the computer virus are not returned to the network. 



Allowable Subject Matter 

8. Claims 1-9 and 11-30 are allowed. 

The following is an examiner's statement of reasons for allowance: The 
applicants have submitted clear arguments and amendments on 12/04/2008 that 
overcome the prior art of record. 

As per claims 21-30, the claims also recite a computer program product, which 
has a computer readable medium for storing the computer code. The Examiner 
interprets this to be hardware memory, as taught in the applicant's specification in 
paragraph 105 of the publication and also displayed in Figure 19 of the applicant's 
drawings. 

Any comments considered necessary by applicant must be submitted no later 
than the payment of the issue fee and, to avoid processing delays, should preferably 
accompany the issue fee. Such submissions should be clearly labeled "Comments on 
Statement of Reasons for Allowance." 

Conclusion 

9. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to JASON K. GEE whose telephone number is (571)272-6431. 
The examiner can normally be reached on M-F, 7:00 am to 4:30 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone 
number for the organization where this application or proceeding is assigned is 
571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

Jason Gee 
Patent Examiner 
Technology Center 2400 
03/05/2009 



/Kambiz Zand/ 

Supervisory Patent Examiner, Art Unit 2434 



